Re: NAT64 in RA, draft-ietf-6man-ra-pref64
David Farmer <farmer@umn.edu> Tue, 02 July 2019 14:05 UTC
Return-Path: <farmer@umn.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0327E1200B6 for <ipv6@ietfa.amsl.com>; Tue, 2 Jul 2019 07:05:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.298
X-Spam-Level:
X-Spam-Status: No, score=-4.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qcp9ylBaglKo for <ipv6@ietfa.amsl.com>; Tue, 2 Jul 2019 07:05:49 -0700 (PDT)
Received: from mta-p6.oit.umn.edu (mta-p6.oit.umn.edu [134.84.196.206]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2700120041 for <ipv6@ietf.org>; Tue, 2 Jul 2019 07:05:49 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mta-p6.oit.umn.edu (Postfix) with ESMTP id F2E0BD2C for <ipv6@ietf.org>; Tue, 2 Jul 2019 14:05:48 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p6.oit.umn.edu ([127.0.0.1]) by localhost (mta-p6.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bptwWgTT7Uv8 for <ipv6@ietf.org>; Tue, 2 Jul 2019 09:05:48 -0500 (CDT)
Received: from mail-vs1-f71.google.com (mail-vs1-f71.google.com [209.85.217.71]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p6.oit.umn.edu (Postfix) with ESMTPS id A7110D21 for <ipv6@ietf.org>; Tue, 2 Jul 2019 09:05:48 -0500 (CDT)
Received: by mail-vs1-f71.google.com with SMTP id v20so4922099vsi.12 for <ipv6@ietf.org>; Tue, 02 Jul 2019 07:05:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jLNnICAEFL4W33XQ0LO037u8tFRMkRsbujUNgk1ED7Q=; b=WfirMrOqOgoCtWIgZ6PxOOdmw5r2Umh+ONRLqdBKJ7SLA4OwSS44Z1/aIePO+tQoXw QkJOkWmk9deyTdnXHifjHh8MOioju6DQOWSw2FCV8h9QnbtGyS3ncwp42GF6YeVLi8FE D6lt/ygK2ACBHtaWXeWO/Wi9Xj/Q5Q9F1NSauvumrgxCJ318zEF0Wz9JMtbT1SLZysRY /HB/rYzS2ySkx/x3uXVm5w8d0qUpBdxHaEZcDdz6oONfLs48kV74ummLBV3yJDoRqWSe aGQWqUKJiqiDRwK0IWZHwkLiUpt2/w8Q0opFeDPhbqMGkbLUKNp34RZE5iFwQvrmdF/K YAiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jLNnICAEFL4W33XQ0LO037u8tFRMkRsbujUNgk1ED7Q=; b=pzEfqEfd9ENxNHARJZdMYcPJl6EbzSbQLfF9Yd+Y1pT2ZMHO2rb86pGkK5esx8G1wy BYfVz8MS3F6ev0ekouqpDjSEJwgkCcqVk3B6vRSHzeD2jLlu/pG7y9PKZyqGwo3RGFNu 8MHm+fTK7Ds6G+2fqld8jvu9OWanvKl7lba4YZHtEDhiC88Dz08FWWo6NHdHwK8MEgAO 1fkPSL16Cvl2dIrHJzKcCh/ffNLtMI9+9U2w+7cCT1qhSyu+EFbGRquNDBCkoHh9iO3i E1TDY7eL0/yxB1tNS6hoJrrZKm1w45QIKGnDSE76s+za63nYUzBF5j+QTmc/LCWoPBXD htow==
X-Gm-Message-State: APjAAAXqwGKx8/NrvVijUB6ldgMnRG+ZlDcyAnHqlGV82BXLl5Cq5JI1 yTlBtOtt+OEePKAZfdwjIIbLHxWO+jxaKs9H89hcCiSyTqZ0LgV+kkO1LYZ94xMxavQ0h18tE36 Il+gQ/dPwSkN2ICD9ARwuI5zf
X-Received: by 2002:a9f:2650:: with SMTP id 74mr15036093uag.133.1562076347242; Tue, 02 Jul 2019 07:05:47 -0700 (PDT)
X-Google-Smtp-Source: APXvYqx+DrwNBdZDly4KjojGmLJFlI5z7We2HWgJySS1HRRJr61+xytR8i13F9vVo+KQIDdN51L2cttW/zlfwSXXZJw=
X-Received: by 2002:a9f:2650:: with SMTP id 74mr15036061uag.133.1562076346634; Tue, 02 Jul 2019 07:05:46 -0700 (PDT)
MIME-Version: 1.0
References: <12187.1558972629@localhost> <D3C7EB41-02E8-48D6-9335-26A041FD64C2@isc.org> <00C00FE5-C7CD-4B99-A2C9-CCBFCB1E4850@isc.org> <CAFU7BASfJ4YS6xBzK8hNJRSMnFZmdn3VE5A=sPCC3JqRa8SQEQ@mail.gmail.com> <EC63A89D-26CD-4093-8814-4461B6D3D327@isc.org> <CAFU7BASsAwitEc==Zj6qT4izy-tFosg23DHXFVVzOixidEfMFA@mail.gmail.com> <CAKD1Yr3jDTS25ERGZYDDM9yRRTxEfY4Ltcd-QgFNor6ze2G7xA@mail.gmail.com> <6053.1561748461@localhost> <CAFU7BAR9kmnk3Q9aOpsqGFVRZkiRXb0FkZjMXWG2gN0-o1MjGw@mail.gmail.com> <0167874A-F2B4-434A-B674-792FE3AD0E2D@gmail.com> <CAFU7BAT2zw2+EnLW_MZnj2L9RBwH2DyStgRUbaY6bCZLuJwG9g@mail.gmail.com> <CAKD1Yr2mzeVzXFmzh3N21MCr-sg1xJ9D67TPqvEd9YffCrzdqA@mail.gmail.com> <CAN-Dau3qMAH0KAfahjFgN2-mMttmwpM4wEt4vypAxZcvUXB=gQ@mail.gmail.com> <CAKD1Yr3tm==UMQmuiO5EGv=YM1a0VxPa_5_0ywQQrouPo4SgCQ@mail.gmail.com>
In-Reply-To: <CAKD1Yr3tm==UMQmuiO5EGv=YM1a0VxPa_5_0ywQQrouPo4SgCQ@mail.gmail.com>
From: David Farmer <farmer@umn.edu>
Date: Tue, 02 Jul 2019 09:05:30 -0500
Message-ID: <CAN-Dau3K+qUsU3a6n4MCOL0aE36bKJPSWozfB7oxJSembXVCbg@mail.gmail.com>
Subject: Re: NAT64 in RA, draft-ietf-6man-ra-pref64
To: Lorenzo Colitti <lorenzo@google.com>
Cc: Jen Linkova <furry13@gmail.com>, 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c0e22c058cb33dbb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/n_ezh4Y3rVjCA582ziEDHXBwFJE>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2019 14:05:52 -0000
On Tue, Jul 2, 2019 at 7:51 AM Lorenzo Colitti <lorenzo@google.com> wrote: > On Tue, Jul 2, 2019 at 9:09 PM David Farmer <farmer@umn.edu> wrote: > >> Right. That was the gist of my earlier comment. I believe we all agree >>> that in the most common deployment scenario (i.e., an IPv6-only host with >>> no IPv4), an exclusion list is not useful, because the host really can't >>> reach anything that's not reachable via IPv6. >>> >> >> I mostly agree, but there is a scenario I've been thinking about; >> >> What if the network operator doesn't want RFC1918 and RFC 6598 IPv4 >> addresses synthesized at all? I suppose the NAT64 function could block >> these addresses. However, for a large enough population that could be a lot >> of useless traffic going to the NAT64 function. While on the other hand >> some network operators, especially enterprise operators, will probably want >> these addresses synthesized. >> > > Hmm... but why will hosts want to send traffic to those addresses? Hosts > (especially IPv6-only hosts) won't just arbitrarily decide to connect to > RFC1918 addresses of their own accord. They will only do that if there is a > reason to do so - for example, if there is an A record in the DNS pointing > at such addresses. > You partly answer this below, it happens all the time in IPv4 today. There is a reason we have AS112, there is a ton of junk out there. Yes, AS112 is a different problem, but I still think it illustrates the scale of the problem. RFC1918 addresses are everywhere and they leak everywhere too. > But why would the network operator publish A records in the DNS for IP > addresses that it intentionally wants to make unreachable from some hosts? > What is the reason for doing so compared to obvious alternatives such as a) > don't publish said A records, or b) publish said A records together with > corresponding AAAA records? > One of the reasons we want this RA option is that clients are configured with DNS servers not provided by the network operator. So even if the network operator doesn't put these addresses in their DNS, the client could be using a DNS server serving these addresses to it. For example, what if the client is hard configured with an enterprise DNS server? Then there are all the DNS games VPN clients play. As I said, the NAT64 function can block this but then it has to receive the traffic just to drop it. Maybe it's just the price we have to pay for all the brokenness in IPv4. > Also, this problem already exists today in IPv4. Any IPv4-only or > dual-stack host asked to connect to an RFC1918 address will send packets to > it, regardless of whether the address is reachable and of whether it's in > the same NAT domain as the host. For example, applications using STUN, such > as video chat applications, will often try all addresses advertised by the > remote host, even in the common case that the remote host is in a different > NAT domain (e.g. video chat between two residential users each of whom is > behind their own NAT). > > Now a complicated APL capability isn't probably needed to handle this, a >> simple one-bit option flag or two would suffice, I believe. >> > > In the common case of a /96 prefix I don't think there are any bits left > in the current packet format without increasing the size of the option from > 16 to 24 bytes. > >> If we don't provide a mechanism to configure this, then clients implementing this feature MUST synthesize DNS entries for RFC1918 and RFC6598 IPv4 addresses received in A records, and it is up to the NAT64 function to apply an appropriate local policy for these addresses. I think other special purpose IPv4 addresses MAY be safely excluded from DNS synthesize. Thanks -- =============================================== David Farmer Email:farmer@umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 ===============================================
- NAT64 in RA, draft-ietf-6man-ra-pref64 Michael Richardson
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Mark Andrews
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Mark Andrews
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Jen Linkova
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Jen Linkova
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Michael Richardson
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Mark Andrews
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Jen Linkova
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Mark Andrews
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Lorenzo Colitti
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Michael Richardson
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Michael Richardson
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Mark Andrews
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Michael Richardson
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Lorenzo Colitti
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Mark Andrews
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Jen Linkova
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Lorenzo Colitti
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Jen Linkova
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Jen Linkova
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Mark Andrews
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Fred Baker
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Jen Linkova
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Erik Kline
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Mark Andrews
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Lorenzo Colitti
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 David Farmer
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Lorenzo Colitti
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Jen Linkova
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Jen Linkova
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 David Farmer
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 JORDI PALET MARTINEZ
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Mudric, Dusan (Dusan)
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Fred Baker
- RE: NAT64 in RA, draft-ietf-6man-ra-pref64 Mudric, Dusan (Dusan)
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Jen Linkova
- RE: NAT64 in RA, draft-ietf-6man-ra-pref64 Mudric, Dusan (Dusan)
- RE: NAT64 in RA, draft-ietf-6man-ra-pref64 Manfredi (US), Albert E
- RE: NAT64 in RA, draft-ietf-6man-ra-pref64 Mudric, Dusan (Dusan)
- Re: [v6ops] NAT64 in RA, draft-ietf-6man-ra-pref64 Gert Doering
- RE: [v6ops] NAT64 in RA, draft-ietf-6man-ra-pref64 Mudric, Dusan (Dusan)
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 David Farmer
- Re: [v6ops] NAT64 in RA, draft-ietf-6man-ra-pref64 JORDI PALET MARTINEZ
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 Jen Linkova
- RE: [v6ops] NAT64 in RA, draft-ietf-6man-ra-pref64 Mudric, Dusan (Dusan)
- RE: NAT64 in RA, draft-ietf-6man-ra-pref64 Mudric, Dusan (Dusan)
- Re: [v6ops] NAT64 in RA, draft-ietf-6man-ra-pref64 JORDI PALET MARTINEZ
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 JORDI PALET MARTINEZ
- Re: [v6ops] NAT64 in RA, draft-ietf-6man-ra-pref64 JORDI PALET MARTINEZ
- Re: [v6ops] NAT64 in RA, draft-ietf-6man-ra-pref64 Mark Andrews
- Re: [v6ops] NAT64 in RA, draft-ietf-6man-ra-pref64 JORDI PALET MARTINEZ
- Re: [v6ops] NAT64 in RA, draft-ietf-6man-ra-pref64 Mark Andrews
- Re: [v6ops] NAT64 in RA, draft-ietf-6man-ra-pref64 JORDI PALET MARTINEZ
- Re: [v6ops] NAT64 in RA, draft-ietf-6man-ra-pref64 Mark Andrews
- Re: NAT64 in RA, draft-ietf-6man-ra-pref64 David Farmer